Cyber Incident Victim: Verkehrsbetriebe Luzern
Date:
May 2022
Location:
Switzerland
Summary
Verkehrsbetriebe Luzern experienced a targeted cyberattack disrupting its online services, including public access to schedules, ticket sales platforms, and mobile application functionalities. The incident caused website unavailability, affecting customer access to transport information and digital transaction systems. While the organization confirmed the attack's occurrence, no specific operational impacts beyond service interruptions or evidence of data compromise were disclosed. The disruption hindered routine customer interactions with critical platforms but did not reveal further details about attack vectors or recovery timelines in the available information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 0 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around May 14, 2022, Verkehrsbetriebe Luzern (VBL), the public transport operator serving Lucerne, Switzerland, experienced a targeted cyberattack. The incident was publicly acknowledged by VBL through a dedicated webpage, though technical issues later rendered this resource inaccessible, returning a 404 error. While VBL did not disclose the specific attack vector in available public communications, external cybersecurity reporting identified the intrusion as a ransomware operation conducted by the Black Basta group. The attackers compromised VBL's IT infrastructure, leading to operational disruptions. Initial response actions involved isolating affected systems to prevent further spread, which resulted in the temporary unavailability of certain digital services. VBL engaged external cybersecurity specialists to assist with forensic analysis and system recovery. The company maintained public communication through alternative channels, advising customers of service limitations while emphasizing efforts to restore normal operations.
The cyberattack disrupted VBL's ticket sales systems and online platforms, impacting customer access to digital services, including mobile app functionalities and electronic payment options. Black Basta claimed responsibility for the attack, alleging exfiltration of approximately 25 GB of corporate data, though VBL did not publicly verify the scope or validity of these data breach claims. Operational continuity measures were implemented, with physical ticket sales and public transport services continuing under alternative procedures during the recovery period. VBL prioritized restoring critical IT systems while maintaining partial service availability through manual processes where feasible. The incident prompted a multi-day recovery effort, with gradual restoration of digital services observed in subsequent days. No further public updates regarding data integrity, ransom demands, or long-term forensic findings were released by VBL in the immediate aftermath of the confirmed attack timeline.